GDPR implementation part 3: Mapping our “world”

This is the third post in our series on Runbox’ GDPR implementation.

After having structured our GDPR project, the next piece of necessary groundwork was to map out status on relevant facts about important areas of our business. The reason is that it’s impossible to establish and maintain good security and privacy – and to determine GDPR compliancy — if the “territory” is not clearly described.

The “territory”

The “territory” in question was foremost and first of all,

  • The email service delivery system, that is the Webmail and backend systems and files – the development platform that is used, the components of which the system is built, the dependencies between the components, description of access points etc. – while being well aware of that the GDPR compliancy also includes Privacy of Design requirements.

Other realms that are necessary to describe were for example:

  • The economic system in which the company operates; i.e. mapping out the network of organizations with which our company is involved – including partners, associates, suppliers, financial institutions, government agencies, and so on – in order to serve our customers.
  • Server infrastructure with all physical links and channels, and not the least: All software components.
  • Data networks, including how and where our serves are connected to the Internet, but also the Local Area Network at our premises.
  • Data catalogue, including of course all personal data, that is, what kind of data are registered on customers and also employees and partners/associates as well.
  • Applications of all sorts necessary to run the company – applications that are managerial of nature.

Level of description

One problem encountered is how detailed the descriptions should be. Too many details will make the job unnecessarily big in the first place, followed by a lot of maintenance to keep the documentation current.

We chose to start with a “helicopter view”, to obtain an overview of the different realms with the intention to fine-grain the documentation depending on the requirements of the ultimate goal: To identify areas where privacy and security is of concern, ticking off issues that are well taken care of in light of the GDPR, or followed up with measures to improve the situation to achieve GDPR compliancy.

Of course, the GDPR Implementation Project is not a sequential one, as development projects seldom are. Therefore, from time to time we had to go back and adjust our planning tools when needs arose.

The next blog post in this series will concern our Information Security Policy.

Continue Reading →

Runbox Two-Factor Authentication

Runbox recently launched Two-Factor Authentication (2FA). 2FA is a log in procedure where an additional piece of information is required in addition to your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Two-Factor Authentication
Runbox Two-Factor Authentication

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.
 

Runbox is the only 2FA-enabled email provider in Norway

NorwayRunbox is located in Norway, which has some of the strongest privacy regulations in the world.

By choosing Runbox as your email provider, your data will be protected by these regulations while ensuring your email is secure from unauthorized access.

Read on to find out how Runbox 2FA works and which options are available.

 

Timed One-Time Passwords (TOTP)

2FA Timed One-Time Passwords
2FA Timed One-Time Passwords

To use this option you will need a smartphone and some free software.

Timed one-time passwords works by giving you a login code which changes over time, in addition to your password.

To get started, download a TOTP app such as Authy, FreeOTP or Google Authenticator onto your mobile phone and follow their instructions.

Note: It is essential that your smartphone has the correct date/time set as this is used by the TOTP app to generate the correct codes that allow you to log in.

 

One-Time Passwords (OTP)

2FA One-Time Passwords
2FA One-Time Passwords

When you enable this option, the system will generate random passwords that you can use only once. Used passwords are discarded automatically and cannot be used again.

You can download the the list of passwords to a computer or mobile device, or you can print them out if necessary. However, you must keep the list secure as these passwords can be used to access your account along with your usual username and account password.

 

 

Trusted browsers

2FA Trusted Browsers
2FA Trusted Browsers

This option allows the server to trust your current web browser so that you don’t have to use a 2FA code. The option places a small piece of code in your browser (a cookie) that tells the server not to require the 2FA details and you can just log in with username and password.

You should only use this method of bypassing 2FA on a computer or device that you are confident nobody else can log in to. You can temporarily turn on/off individual browsers from the trusted list, or you can delete the browser entry entirely which will force that browser to require the 2FA details.

 

Unlock code

2FA Unlock Code
2FA Unlock Code

If for some reason you are unable to log in with 2FA after it has been enabled, this code can be used to disable 2FA.

The code can be used in conjunction with a secure question/answer for additional security.

 

 

Continue Reading →

New Account Security features launched

We are excited to announce the launch of a new Account Security interface with Two-Factor Authentication (2FA) for Runbox.

This completes more than a year of development, and we are quite proud of the result. The new features will significantly improve the security of your Runbox account when you activate them.

Account Security features

The new Account Security interface includes 4 main features: Two-Factor Authentication, Manage Services, App Passwords, and Last Logins.

Used separately or in combination, these features add extra layers of security to your Runbox account.

Two-Factor Authentication

Two-Factor Authentication (2FA) is a log in procedure where an additional piece of information is required in addition to your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Two-Factor Authentication
Runbox Two-Factor Authentication

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.

Manage Services

The new Account Security interface lets you disable various services such as IMAP, POP, and SMTP. These are the services you use when using an email app/program to access your mail.

By disabling services you are not using, you prevent attempts at unauthorized access to your account via those services.

App Passwords

You can also set up unique passwords for each of your apps or devices, giving you complete control over the access to your account.

If you then happen to lose a device you can simply delete the corresponding app password, effectively disabling access from that device.

Last Logins

This section shows a list of the most recent login attempts to your account from each service such as web, IMAP, POP, and SMTP.

If you suspect that there have been unauthorized login attempts to your account, you can review this list and take appropriate action.

How to set up Account Security features

To get started, just go to the Account Security screen to set up 2FA and the other security features.

We encourage you to review our Account Security help page for details about the new functionality first. This will ensure that you understand how 2FA works and prevent you from getting locked out of your account.

We welcome any questions or feedback you might have, either as comments to this blog post or via our contact form or support system.

Continue Reading →

How To Use Email Securely

Much has been said and written in the media recently regarding email, and here at Runbox we’d like to take the opportunity to help make it all a bit more understandable.

What is email, anyway?

Email, or electronic mail, is the most common method of exchanging digital messages.

It is easily the most flexible online messaging service available, because it lets users send and receive unlimited text, multimedia, and other files to anyone with an email address anywhere in the world.

Email was invented in the 1960s and is still one of the most popular services currently available via the Internet, with over 90% of US Internet users actively using email.

How does email work?

Email systems consist of computers and devices that are connected via the Internet. These computers and devices can be servers that process and store electronic mail, or clients such as laptops and smartphones that are used to send and receive email.

Email clients and server Email clients connected to a server

When someone sends an email, the message is transferred from his or her device to a server that processes the message.

Based on the recipient email address, the server finds out where to send the message next.

This is usually to another server associated with the recipient’s address, and often via a number of other servers that act as dispatchers.

There are many different types of email software that can send, receive, and store email. If you use a computer or a smartphone, you might be familiar with software such as Outlook, Apple Mail, or Thunderbird.

Where is my email actually stored?

Because the volume of email is so large, email clients typically let servers store all the email that is received and sent and only download messages when they are opened.

This is very convenient because the server can then do resource intensive things like filtering out spam and viruses, and other kinds of sorting and processing.

Another important reason for keeping emails stored on a server is that it lets more than one client access the same messages.

For instance, you can set up your laptop, your tablet, and your smartphone to access all the email that is stored in your account on the server. You can also use a webmail in your web browser, which essentially works as an email client.

This means that your email will be synchronized across all your devices, without you having to do anything manually.

You can read more about how this works in our Help article Using an Email Client with IMAP.

How can I be sure that no one else can access my email?

When you sign up for an email account, you select a username and a password that only you know. This ensures that only you can access the email that is stored in your account on the server.

As you can imagine, it is important that you choose a strong password to make sure that no one else can guess it. It’s also important to be aware of scams that may try to trick you into revealing information that could let someone gain access to your account.

End-To-End Encryption
End-To-End Encryption

However, to be certain no one can read your email even if they were to gain access to it, you can use encryption.

Email encryption can protect your messages all the way from your device to the recipient’s, by encoding them in such a way that it’s virtually impossible for someone unauthorized to unscramble them.

You can read more about this in our Blog post Email Encryption with Runbox and our Help article Encrypting Your Runbox Email.

We hope this article helped clarify what email is, how it works, and how to use it securely. For a more in-depth article, please see How Email Works.

Continue Reading →

Hardened web server security

We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.

The policies we have implemented are the following:

X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.

HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).

Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.

HTTP Public Key Pinning: Protects us from from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.

X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.

These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.

Continue Reading →

TLS Upgraded for Incoming Email

Today we have upgraded the TLS (Transport Layer Security) of our incoming email servers to support version 1.2, which is the most recent. This means that when email is sent to Runbox from other services, the highest level of encryption will be used if the other service supports it.

This also means that all communication between your email program and Runbox now uses TLS 1.2 (if supported by your email program).

 

Continue Reading →

Phishing message alert 2015.09.02

If you receive messages with the subject “ATTN: RUNBOX ACCOUNT USER” that appears to have been sent from “RUNBOX HELPDESK“, please delete them.

We are deleting all the instances of these messages we can find on the Runbox servers, but we might miss some.

These messages are not sent from Runbox staff and are an attempt to trick Runbox customers into entering their login information at malicious websites.

For more information about phishing, please see the Phishing section of this article.

Continue Reading →

Phishing message alert

If you receive messages with the subject “Pending message” that appears to have been sent from “Runbox Admin” <cusdept@nullrunbox.com>

or

Subject “Account Update” that appears to come from “MEMBERSHIP SERVICE” <membership@nullrbox.com>, please delete them.

We are deleting all the instances of these messages we can find on the Runbox servers, but we might miss some.

These messages are not sent from Runbox staff and are an attempt to trick Runbox customers into entering their login information at malicious websites.

For more information about phishing, please see the Phishing section of this article.

Continue Reading →

Domains and Privacy

From time to time we get asked why Runbox uses runbox.com as our primary email domain rather than our runbox.no domain.

The reason we are asked this is because some people assume that by using a .com domain all the Internet traffic to and from our servers is routed via the Unites States, and could be subject to US government eavesdropping.

(more…)

Continue Reading →

Outlook for iOS – Privacy Issues

Email Apps and Privacy

Back in May 2014 we reported on our investigations in to two smartphone/tablet apps that had been launched. We were worried to find that the apps did not use our outgoing SMTP servers directly, and instead sent email through non-Runbox servers. This made for much easier set up of accounts, but we didn’t like that it wasn’t obvious to the user what was going on.

Those apps were myMail and Evomail (the later is no longer available).

Outlook and Privacy

Outlook now has IMAP compatibility and is able to work with Runbox accounts, however, like myMail and Evomail it doesn’t connect directly to the Runbox SMTP servers for outgoing mail. In fact, we don’t know if it retrieves email directly from our servers either. We do know that it stores some details of your account on servers that are part of Amazon Web Services.

If this doesn’t bother you, then that’s fine as Outlook is turning in to a nice email app that sits nicely alongside the other Microsoft offerings for iOS and Android.

Using Email Apps that Connect Directly to the Runbox Service

We believe that for maximum security and privacy email apps should be connecting directly to the Runbox service and not connecting via other servers, or storing account details anywhere other than in the app on the device.

Usually if you have to enter the server details for incoming and outgoing mail then the app is likely to connect to those services directly. If you have any doubts about an app, please get in touch with Runbox Support and we will investigate how it behaves.

Continue Reading →